Rx2000HIPAA Digest, Volume 38

#1 From: lisa.cavitt@sih.net
   Subject: Off site storage of backups.
#2 From: alex_brittin@McKennaCuneo.com
   Subject: RE: Chain of Trust
#3 From: David.Foley@ps.net
   Subject: RE: Faxes and PID
#4 From: dafeinberg@home.com
   Subject: Latest HIPAA Transactions and Code Sets Rule Information
#5 From: dafeinberg@home.com
   Subject: Fw: HIPAA Final Rule for Transactions and Code Sets Signed
#6 From: paulsmith@dwt.com
   Subject: RE: Faxes and PID
#7 From: bjgold@goldenacres.org
   Subject: Policy/Procedures
#8 From: lisa.cavitt@sih.net
   Subject: Re: Policy/Procedures

********** Message #1 **********

From: lisa.cavitt@sih.net
To: Rx2000HIPAA@rx2000.org
Subject: Off site storage of backups.
Date: Fri, 21 Jul 2000 08:23:06 -0500

We are currently in the process of designing a new off-site storage area in a building that will be renovated. We had originally requested a cinder block vault with its own environmental control system and a 4 hour fire rating. Our designer does not think that this configuration will be needed. Would anyone like to share the physical characteristics of how their off-site storage is currently, or will be, set up due to HIPAA/JCAHO?

Thanks

Lisa R. Cavitt
Information Services
Southern Illinois Healthcare
1385 E Main Street
Carbondale, Il 62901
Fax: 618-529-7311
E-Mail: lisa.cavitt@sih.net

********** Message #2 **********

From: alex_brittin@McKennaCuneo.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Chain of Trust
Date: Fri, 21 Jul 2000 11:10:01 -0400

There is no simplistic or easy solution to the problem created by the proposed requirement for a chain of trust or business partner agreement. This was and is one of the most controversial aspects of the proposed regulations. The most that can be offered is a template of a chain of trust or business partner agreement. To see examples of similar agreements, go to any legal form book on contract agreements. (This is what many lawyers do when their clients ask for agreements.) Then just change some of the language in the form agreement to mirror the requirements in the proposed security or privacy regulations.

The problem, however, is that you must understand all of the risks to your organization created by these agreements. Each organization (covered entities and business partners) will have unique needs and demands. Any form agreement you use must be tailored to your organization.

Take for example a standard contract clause like Limitation on Liability. You can find this in almost any form book of agreements. In the health care setting, most business partners currently have contracts that specifically limit their liability in the event of breach to the value of the contract. (Other damages are covered by insurance.) After the HIPAA regulations are final, it is likely that business partners will want to continue to limit their liability to the contract value. However, no covered entity will or should agree to such a limitation on damages. If their business partner discloses protected information, then an individual or class of individuals will bring an action against both the business partner and the covered entity. Limiting the covered entity's damages to the value of the contract could subject the covered entity to an open-ended commitment. Thus, no form agreement will give you a solution to this type of problem, nor will it explain the problem in a way that will allow you to protect your organization. In fact, everyone should consider who prepared the proposed form agreement. For example, if a form agreement is prepared by vendors or an association of vendors, no provider should use it without significant changes.

Other unique issues arise in the area of HIPAA clauses versus separate HIPAA contracts. In other words, should security and privacy clauses be added to existing, or underlying, contracts, or should they be free-standing agreements? While I have my own personal view on that issue, each organization will need to address its unique needs. How this is addressed may vary even among covered entities.

I could go on through the various terms of a contract: disputes (arbitration v. courts), indemnity, etc., and find similar questions and issues. Chain of trust and business partner agreements will have to be prepared and negotiated like other agreements. An organization should establish a matrix of mandatory conditions that they must include in all agreements. They should also identify conditions that they would like but are willing to forgo in negotiations. This process must take into account insurance provisions, indemnity language and the potential risk posed by the particular business partner (longstanding partner versus new partners). Given the potentially high risk associated with breaches of privacy and security, these agreements should be given considerable care and attention.

Alexander J. Brittin
McKenna & Cuneo, LLP
1900 K Street, NW
Washington, DC 20006-1108
(202)496/7726 (voice)
(202)496/7756 (fax)
alex_brittin@mckennacuneo.com
http://www.mckennacuneo.com
http://PrivacySecurityNetwork.com/Healthcare

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, July 20, 2000 11:18 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: Chain of Trust

Look to www.wedi.org under SNIP and www.afehct.org for developments in this area.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #3 **********

From: David.Foley@ps.net
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Faxes and PID
Date: Mon, 24 Jul 2000 10:45:26 -0500

To take this one step further, it is not necessarily the mode of transmission that determines whether the information is covered by HIPAA, but rather the SOURCE of the information. If the information has ever been held in a computerized format, then it is covered by HIPAA. Therefore, a fax of a computer printout would be covered by the regulations. A fax of handwritten information obtained during triage would not necessarily be covered under the regs.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 29, 2000 8:34 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: Faxes and PID

Tom,

QA folks are by nature very cautious people ... it's their job. But: FAX's are not prohibited under HIPAA. I am not aware of any method of transmission that is specifically prohibited under HIPAA. Just that transmissions must be secured and protected (and encrypted if over an open network). FAX machines can be password protected and FAX's encrypted, so I don't understand where they get the evidence for their stance.

Also, FAX's sent from FAX machine to FAX machine are excluded in HIPAA. FAX's sent from computer to computer are included under HIPAA.

Good luck

The above comments are my opinion only and do not reflect the opinion of my employer or clients, nor is the above meant as HIPAA compliance advice.

Errick Woosley
3X HCSG
(513) 587-3100

********** Message #4 **********

From: dafeinberg@home.com
To: "RX2000 HIPAA List Server"
Subject: Latest HIPAA Transactions and Code Sets Rule Information
Date: Tue, 25 Jul 2000 08:42:45 -0700

A reliable source, Tom Gilligan, Executive Director and Washington Representative of the Association for Electronic Health Care Transactions (AFEHCT), announced on Monday that DHHS expects the publication of the final HIPAA rule for Transactions and Code Sets to be in the Federal Register by July 28th. As of this writing, no official confirmation from DHHS or HCFA is available.

The Office of Management and Budget (OMB) and DHHS have apparently reached an agreement regarding OMB's future review of the Transactions and Code Sets rule under the Paperwork Reduction Act. Changes to the final rule as part of this agreement have been characterized in another report as "marginal."

Dave Feinberg
Co-Chair, HIPAA Implementation Work Group
Insurance Subcommittee
Accredited Standards Committee X12
Voting Member, HL7 and X12
Rensis Corporation [A Consulting Company]
206-617-1717
DAFeinberg@computer.org

********** Message #5 **********

From: dafeinberg@home.com
To: "RX2000 HIPAA List Server"
Subject: Fw: HIPAA Final Rule for Transactions and Code Sets Signed
Date: Tue, 25 Jul 2000 14:21:17 -0700

I just received the following message from Gary Beatty, the chair of X12N.

Dave Feinberg
Co-Chair, HIPAA Implementation Work Group
Insurance Subcommittee
Accredited Standards Committee X12
Voting Member, HL7 and X12
Rensis Corporation [A Consulting Company]
206-617-1717
DAFeinberg@computer.org

================================================

All issues relative to the final rule for the HIPAA Transactions and Code Sets have now been resolved and the Secretary of Health and Human Services, Donna E. Shalala, has signed the final rule. This does not yet start the 26-month implementation clock, though. The final rule still has to get its official signature from the Office of Management and Budget (OMB) and be placed on public display for two business days prior to being officially published within the Federal Register. The absolute earliest this could happen would be this Friday, although most likely it will be early next week.

I would like to congratulate everyone within the Federal Government involved in putting out this first HIPAA final rule. Your efforts are very much appreciated. I would also like to thank all those who have been involved within X12 and the X12N Insurance Subcommittee in developing the X12 standards and the implementation guides to meet the needs of this legislation. Without your voluntary efforts and the support of your organizations this would not be possible. My many thanks.

Sincerely,

Gary A. Beatty
Chair
X12N Insurance Subcommittee

********** Message #6 **********

From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Faxes and PID
Date: Wed, 26 Jul 2000 14:41:08 -0700

An interesting question is whether a covered entity has to treat information as protected if it existed in electronic format in the hands of some other covered entity, but not in the hands of the covered entity in question. For example, if a provider receives a paper fax of a computer print-out from another provider, does the recipient have to treat the information as protected? The proposed regs are not explicit; I would argue that they cannot practically be interpreted in the manner suggested, because it would require the receiving provider to determine the status of the sending entity under the regs (as you know, for example, not all providers are covered entities), as well as the status of any other entity that might have held the information, and to trace the provenance of every piece of health care information it received from another entity. I know the practical solution is to treat all identifiable health care information as protected, but it would still be nice to know the extent of one's legal obligations.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Monday, July 24, 2000 8:45 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Faxes and PID

To take this one step further, it is not necessarily the mode of transmission that determines whether the information is covered by HIPAA, but rather the SOURCE of the information. If the information has ever been held in a computerized format, then it is covered by HIPAA. Therefore, a fax of a computer printout would be covered by the regulations. A fax of handwritten information obtained during triage would not necessarily be covered under the regs.

********** Message #7 **********

From: bjgold@goldenacres.org
To: HIPAA listserv
Subject: Policy/Procedures
Date: Wed, 26 Jul 2000 17:40:41 -0500

Has anyone seen a boilerplate policy/procedure manual that can be modified for a nursing home setting? I hate to start from scratch if there is something out there we can use.

Thanks,

Barbara Goldstein
Information Coordinator
Dallas Home for Jewish Aged, Golden Acres Campus
bjgold@goldenacres.org

********** Message #8 **********

From: lisa.cavitt@sih.net
To: Rx2000HIPAA@rx2000.org
Subject: Re: Policy/Procedures
Date: Fri, 28 Jul 2000 11:34:14 -0500

Have you looked at the WWW.enhac.org web site? They have a tool kit with several examples of security manuals from several healthcare institutions.

Lisa R. Cavitt
Information Services
Southern Illinois Healthcare
E-Mail: lisa.cavitt@sih.net

Original Message:

Has anyone seen a boilerplate policy/procedure manual that can be modified for a nursing home setting? I hate to start from scratch if there is something out there we can use.

Thanks,

Barbara Goldstein
Information Coordinator
Dallas Home for Jewish Aged, Golden Acres Campus
bjgold@goldenacres.org